The libpng library in Red Hat Enterprise Linux 8 contains three security vulnerabilities: CVE-2026-22801 involves information disclosure and denial of service via integer truncation in the simplified write API; CVE-2026-22695 involves denial of service and information disclosure via a heap buffer over-read in the png_image_finish_read function; CVE-2026-25646 is a heap buffer overflow in the png_set_quantize function. These vulnerabilities could potentially allow attackers to cause denial of service or leak information when processing PNG images. Red Hat has released updated libpng packages to fix these issues as part of advisory RHSA-2026:4728. The advisory covers multiple architectures including x86_64, s390x, ppc64le, and aarch64. The update is classified as important, indicating a high security impact. No CVSS scores are provided in the advisory, and no active exploitation has been reported.

The vulnerabilities in libpng can lead to denial of service conditions and information disclosure when processing specially crafted PNG images. The heap buffer overflow could also potentially be exploited to cause memory corruption. These issues affect Red Hat Enterprise Linux 8 across multiple supported architectures. While no known exploits in the wild have been reported, the impact is considered high due to the possibility of service disruption and data leakage.

Red Hat has released updated libpng packages that address these vulnerabilities. Users of Red Hat Enterprise Linux 8 should apply the security update described in advisory RHSA-2026:4728 promptly. Detailed instructions for applying the update are available at https://access.redhat.com/articles/11258. Since this is an official fix from Red Hat, applying the update fully mitigates the vulnerabilities. No additional mitigation steps are required beyond installing the updated packages.